U.S. schools' approach to student data threatens privacy: study

NEW YORK (Reuters) - School districts across the United States are failing to properly protect troves of sensitive student data as they rush to adopt new online systems pitched by private companies, a report released on Friday found.

Most of the 23 school districts studied had inadequate privacy protections and poorly defined contracts with outside vendors that left student data vulnerable, said the Center on Law and Information Policy at Fordham Law School, which conducted the review.

In most of districts studied, parents did not have to consent to the outside use of their child’s information, and many agreements did not place clear limits on how vendors who provide online services to track student health or assignments could use the data they collected.

In the cloud-based model - a broad term for companies that provide software which users can access remotely rather than install and manage on their own computers - vendors sometimes offer their services at a low cost in the hope of making money off the data they collect.

Almost none of the districts looked at specifically restricted the marketing of student information by the vendors, the study found.

It also noted that such practices were often in violation of the Family Educational Rights and Privacy Act, a U.S. law that sets forth strict guidelines requiring that students and parents control access to and amend student records.

“Schools right now are unable to deal effectively with privacy issues,” said Joel Reidenberg, the lead author of the study. “They’re not in a position to understand the implications of some of the services they’re contracting.”

The study examined policies in a wide swath of districts across the country, ranging from the 204,000-student Houston Independent School District to Echo School District, in Oregon, which has just 264 students.

Cloud computing now plays a role in everything from homework and testing to college counseling.

That can mean handing over huge and diverse amounts of data to third-party vendors. A payment mechanism used in the lunchroom could give a vendor access to what students are eating and which students qualify for federal free lunch, considered a measure of poverty, Reidenberg noted.

Online health classes, which have gained traction in recent years, retain information about students’ weight and exercise habits.

A significant amount of the data now being used in schools is not even covered under federal legislation as the law fails to keep up with the ever-expanding educational technology sphere, the study warned.

Earlier this year, inBloom Inc, a student data collecting initiative funded by the Bill & Melinda Gates Foundation, stirred up controversy among parents for its plans to compile students’ private information into a national database for business contracting with public schools. Many districts subsequently cut their ties with the database.

The fact that many education technology companies providing cloud services to school districts are looking toward student data as a way to finance themselves puts them in murky legal territory, said Khaliah Barnes, who heads the Student Privacy Project at the Electronic Privacy Information Center.

Schools using these technologies, Barnes said, simply do not have the legal and technical knowledge necessary to keep up.

“It’s not the technology itself that’s a problem,” said Reidenberg. “But school districts need to be paying more attention.”